diff options
| author | Dan Prince <dprince@redhat.com> | 2013-02-15 10:41:30 -0500 |
|---|---|---|
| committer | Dan Prince <dprince@redhat.com> | 2013-02-22 12:21:51 -0500 |
| commit | 20fb97df97cdfcbc1d98a0b1f7d94806d996e274 (patch) | |
| tree | dc093ae87e8c16d52f915e5c7162dc8718da22f4 /nova/api | |
| parent | a42845e455c74f41852babbbd09a3514021ea71d (diff) | |
| download | nova-20fb97df97cdfcbc1d98a0b1f7d94806d996e274.tar.gz nova-20fb97df97cdfcbc1d98a0b1f7d94806d996e274.tar.xz nova-20fb97df97cdfcbc1d98a0b1f7d94806d996e274.zip | |
Updates to OSAPI sizelimit middleware.
Updates the OSAPI sizelimit middleware so that we use avoid calling
len on a request body which could cause a really large request
to get buffered into memory.
Also updates the middleware to return HTTP 413 which is a more
correct error code in this case (previously it returned just 400).
Fixes LP Bug #1131857.
Change-Id: Id8bc5eeb0fba9482809edd12543a75163e1227e9
Diffstat (limited to 'nova/api')
| -rw-r--r-- | nova/api/sizelimit.py | 41 |
1 files changed, 36 insertions, 5 deletions
diff --git a/nova/api/sizelimit.py b/nova/api/sizelimit.py index 67d459583..1e88f183e 100644 --- a/nova/api/sizelimit.py +++ b/nova/api/sizelimit.py @@ -37,6 +37,35 @@ CONF.register_opt(max_request_body_size_opt) LOG = logging.getLogger(__name__) +class LimitingReader(object): + """Reader to limit the size of an incoming request.""" + def __init__(self, data, limit): + """ + :param data: Underlying data object + :param limit: maximum number of bytes the reader should allow + """ + self.data = data + self.limit = limit + self.bytes_read = 0 + + def __iter__(self): + for chunk in self.data: + self.bytes_read += len(chunk) + if self.bytes_read > self.limit: + msg = _("Request is too large.") + raise webob.exc.HTTPRequestEntityTooLarge(explanation=msg) + else: + yield chunk + + def read(self, i=None): + result = self.data.read(i) + self.bytes_read += len(result) + if self.bytes_read > self.limit: + msg = _("Request is too large.") + raise webob.exc.HTTPRequestEntityTooLarge(explanation=msg) + return result + + class RequestBodySizeLimiter(wsgi.Middleware): """Limit the size of incoming requests.""" @@ -45,9 +74,11 @@ class RequestBodySizeLimiter(wsgi.Middleware): @webob.dec.wsgify(RequestClass=wsgi.Request) def __call__(self, req): - if (req.content_length > CONF.osapi_max_request_body_size - or len(req.body) > CONF.osapi_max_request_body_size): + if req.content_length > CONF.osapi_max_request_body_size: msg = _("Request is too large.") - raise webob.exc.HTTPBadRequest(explanation=msg) - else: - return self.application + raise webob.exc.HTTPRequestEntityTooLarge(explanation=msg) + if req.content_length is None and req.is_body_readable: + limiter = LimitingReader(req.body_file, + CONF.osapi_max_request_body_size) + req.body_file = limiter + return self.application |